代码拉取完成,页面将自动刷新
#include "R3_ReadProcess.h"
NTSTATUS R3_ReadProcess:: R3_ReadProcess_Start(PDRIVER_OBJECT pPDriverObj)
{
PLDR_DATA ldr;
ldr = (PLDR_DATA)pPDriverObj->DriverSection;
ldr->Flags |= 0x20;
if (!NT_SUCCESS(Start_ProcessObProcess())) {
return STATUS_UNSUCCESSFUL;
}
return Start_ThradObProcess();
}
NTSTATUS R3_ReadProcess::Start_ProcessObProcess()
{
NTSTATUS status;
OB_CALLBACK_REGISTRATION obReg;
OB_OPERATION_REGISTRATION opReg;
memset(&obReg, 0, sizeof(obReg));
obReg.Version = ObGetFilterVersion();
obReg.OperationRegistrationCount = 1;
obReg.RegistrationContext = NULL;
RtlInitUnicodeString(&obReg.Altitude, L"25444");
memset(&opReg, 0, sizeof(opReg));
opReg.ObjectType = PsProcessType;
opReg.Operations = OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE;
opReg.PreOperation = (POB_PRE_OPERATION_CALLBACK)preCall;
obReg.OperationRegistration = &opReg;
status = ObRegisterCallbacks(&obReg, &m_ProcessHandle);
return status;
}
NTSTATUS R3_ReadProcess::Start_ThradObProcess()
{
NTSTATUS status;
OB_CALLBACK_REGISTRATION obReg;
OB_OPERATION_REGISTRATION opReg;
memset(&obReg, 0, sizeof(obReg));
obReg.Version = ObGetFilterVersion();
obReg.OperationRegistrationCount = 1;
obReg.RegistrationContext = NULL;
RtlInitUnicodeString(&obReg.Altitude, L"25444");
memset(&opReg, 0, sizeof(opReg));
opReg.ObjectType = PsThreadType;
opReg.Operations = OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE;
opReg.PreOperation = (POB_PRE_OPERATION_CALLBACK)preCall2;
obReg.OperationRegistration = &opReg;
status = ObRegisterCallbacks(&obReg, &m_ThreadHandle);
return status;
}
VOID R3_ReadProcess::UnLoad_R3_ReadProcess()
{
if (m_ProcessHandle) {
ObUnRegisterCallbacks(m_ProcessHandle);
m_ProcessHandle = NULL;
}
if (m_ThreadHandle) {
ObUnRegisterCallbacks(m_ThreadHandle);
m_ThreadHandle = NULL;
}
}
OB_PREOP_CALLBACK_STATUS R3_ReadProcess::preCall(PVOID RegistrationContext, POB_PRE_OPERATION_INFORMATION pOperationInformation)
{
if (strcmp((char *)PsGetProcessImageFileName(IoGetCurrentProcess()),GAME_NAME) == 0 || strcmp((char *)PsGetProcessImageFileName(IoGetCurrentProcess()), GAME_NAME1) == 0)
{
return OB_PREOP_SUCCESS;
}
pOperationInformation->Parameters->CreateHandleInformation.DesiredAccess = 0x1fffff;
pOperationInformation->Parameters->CreateHandleInformation.OriginalDesiredAccess = 0x1fffff;
return OB_PREOP_SUCCESS;
}
OB_PREOP_CALLBACK_STATUS R3_ReadProcess::preCall2(PVOID RegistrationContext, POB_PRE_OPERATION_INFORMATION pOperationInformation)
{
if (strcmp((char *)PsGetProcessImageFileName(IoGetCurrentProcess()), GAME_NAME) == 0 || strcmp((char *)PsGetProcessImageFileName(IoGetCurrentProcess()), GAME_NAME1) == 0)
{
return OB_PREOP_SUCCESS;
}
pOperationInformation->Parameters->CreateHandleInformation.DesiredAccess = 0x1fffff;
pOperationInformation->Parameters->CreateHandleInformation.OriginalDesiredAccess = 0x1fffff;
return OB_PREOP_SUCCESS;
}
此处可能存在不合适展示的内容,页面不予展示。您可通过相关编辑功能自查并修改。
如您确认内容无涉及 不当用语 / 纯广告导流 / 暴力 / 低俗色情 / 侵权 / 盗版 / 虚假 / 无价值内容或违法国家有关法律法规的内容,可点击提交进行申诉,我们将尽快为您处理。
马建仓 AI 助手